Corporate Risk Management

Corporate risk management
CHAPTER 8
Global Report 2019: A business, financial and sustainability overview

106 Amadeus Global Report 2019
8. Corporate risk management
GRI 102-11, 102-16, 102-17, 102-30
GRI 103-1, 103-2, 103-3 (Compliance, governance & business ethics)
GRI 103-1, 103-2, 103-3 (Human rights)

Amadeus adopted the Three Lines of Defense Model a few years ago with the endorsement of the Board of Directors and the Executive Committee. This model integrates, coordinates and aligns all Amadeus support and assurance functions for the effective management of risk across the Group.

Since its adoption, the model has fostered effective risk management across Amadeus, especially through the adoption of a Combined Assurance concept, through which we have expanded the coordinated management of control activities and the sharing of results.

[Figure: Three Lines of Defense and Combined Assurance]
Governing body / Board / Audit Committee; Senior management. Also shown: Regulators, External audit.
1st Line of Defense: Line and support management. Has ownership, responsibility and accountability for assessing, controlling and mitigating risks.
2nd Line of Defense: Human resources, Financial control, Legal, Security, Risk management, Data privacy, Compliance. Monitors and facilitates the implementation of effective risk management practices by the 1st line and assists risk owners in reporting risk-related information throughout the organization.
3rd Line of Defense: Internal audit. Provides assurance to the Group’s governing body and senior management on the organization’s effectiveness in assessing and managing risks and related internal control systems, including the manner in which the 1st and 2nd lines operate.

GRI 102-11, 102-16, 102-17, 102-30, 205-1
GRI 103-1, 103-2, 103-3 (Compliance, governance & business ethics)
GRI 103-1, 103-2, 103-3 (Human rights)

First Line of Defense: executive management, management and staff

Amadeus’ commitment to integrity and transparency begins with its own staff. Amadeus employees adhere to the ethical standards set forth in the Amadeus Code of Ethics and Business Conduct and related policies. We don’t see this code and our core policies purely as a “rule book,” but as a mutual agreement across the company to promote positive behaviors that will add value to our business and ensure the highest standards of integrity at all times. The areas covered in the code are:
- Commitment to the environment
- Avoiding conflicts of interest
- Protecting personal data and confidentiality
- Handling relations with third parties and the media in a sensitive manner
- Handling company property, equipment and installations with care

In 2017 we drew up our Human Rights Policy, affirming our commitment to international human rights. We expect all our suppliers and business partners to uphold internationally recognized standards regarding working conditions and the dignified treatment of employees.

Human rights form part of Amadeus’ risk analysis framework. We evaluate the risks of infringing on the following rights:
- Non-discrimination
- Collective bargaining
- Freedom of association
- Fair wages
- No child labor or forced labor
- Adequately healthy and safe working conditions

Although such risks fall very low on our risk map, we have a series of mitigating and monitoring actions to manage them, both internally and with our suppliers and business partners.

Our mergers and acquisitions procedures also include due diligence on human rights–related risks. Our Integration team ensures that Amadeus’ policies are effectively implemented into newly integrated companies. And our Speak Up Policy encourages employees to report any breach of the Code of Ethics and Business Conduct, including potential human rights violations.

During 2019 no significant breaches of the Code of Ethics and Business Conduct were reported.

The core policies listed below are supported by systems which undergo regular internal and external quality reviews to ensure regulatory compliance and application of best practices. We have instruments in place for employees to seek advice on whether certain activities are considered ethical or lawful according to our corporate policies. One key instrument, the Ethics Committee, provides guidance as well as receives reports of any unethical or unlawful behavior.

Amadeus policies
Compliance policies and legal policies: Amadeus Code of Ethics and Business Conduct; Anti-Bribery Policy; Anti-Fraud Policy; Business Continuity Policy; Entertainment/Gift Policy; Information Classification Policy; Speak Up Policy; Corporate Privacy Policy; ACO Privacy Manual; Antitrust and Competition Law – Compliance Manual; Internal Rules of Conduct to the Securities Market; Security and Privacy Handbook.
Finance policies: Corporate Purchasing Policy.
Human resources policies: Amadeus Human Rights Policy; Health and Safety Policy.
Industry affairs policies: Amadeus Environmental Policy; Charitable Contributions Policy; Political Contributions and Lobbying Policy; Social Responsibility Policy and Practice.
Information security policies: Acceptable Use Policies.

Second Line of Defense: internal governance functions

Control activities are embedded in all areas of the company. Major control activities are carried out from departments such as Risk & Compliance, Security, Privacy, Legal, Finance and People & Culture.

Risk management and controls

Risk & Compliance is responsible for centralizing the continuous monitoring of major risk and compliance issues within Amadeus. It also leads a transversal Combined Assurance program also involving the Group Privacy Unit and the Corporate Information Security Office. The Combined Assurance program coordinates its activities with other functions focused on business control. This includes our Regional Business Oversight commissions (made up of senior personnel from Legal, HR, Finance and our business units) and our Internal Financial Controls unit (oversees compliance with the Internal Control over Financial Reporting (ICFR) standard).

Risk & Compliance develops Amadeus’ Corporate Risk Map and establishes control and monitoring procedures for each of the identified risks, in conjunction with the owner responsible for each risk. The risks ascertained from this analysis, as well as monitoring measures, are reported on a regular basis to the Risk Steering Committee and the Audit Committee, as well as the Executive Committee and the Board of Directors.

We continually monitor the most significant risks that could affect the activities and objectives of Amadeus and its companies. Amadeus’ general policy regarding risk management and monitoring focuses on:
- Achieving the company’s long-term objectives in line with its established strategic plan
- Giving the maximum level of guarantees to shareholders and defending their interests
- Protecting the company’s earnings
- Protecting the company’s image and reputation
- Giving the maximum level of guarantees to customers and defending their interests
- Guaranteeing corporate stability and financial strength over time

The ultimate aim of the Corporate Risk Map is to provide visibility on significant risks and facilitate effective risk management. Risk analysis is a fundamental element of the company’s decision making processes, both within the governing bodies and in the management of the business as a whole.

The Corporate Risk Map also takes into account the global risks identified each year by the World Economic Forum¹ – such as economic, environmental, geopolitical, societal and technological risks.

The Corporate Risk Map takes into account issues or risks that could impede Amadeus from achieving its strategic objectives as well as other issues that have not yet manifested sufficiently to be managed – commonly referred to as “known unknowns” or emerging risks.

¹ World Economic Forum (2019). Global Risks Report 2019, 14th Edition.

GRI 102-11, 102-16, 102-17, 102-30, 205-1
GRI 103-1, 103-2, 103-3 (Compliance, governance & business ethics)
GRI 103-1, 103-2, 103-3 (Data security & privacy protection)

These are newly developing or changing risks that are difficult to identify and quantify and could have a major impact on society and the industry. Examples include:
- Increased share of elderly travelers. We need to understand the particular requirements of this segment of travelers. Our development teams are designing products and services to adapt to this growing market.
- Extremely fast digital development. New economic models of travel distribution emerge as a consequence of rapid technological changes. We are mitigating this risk through a combination of measures that include R&D investment, strengthened customer relationship and innovation initiatives, among others.
- Climate change. Risks for our business include both the physical effects of climate change, as well as behavioral change from travelers. We are considering how to include sustainability concerns in the travel purchase process, in addition to our initiatives to reduce emissions in our operations and for our customers.

The latest version of the Corporate Risk Map defines the most critical risks relating to Amadeus’ operations and objectives, including:
- Technological risks derived from failures in the infrastructure or caused by cyber-attacks
- Operational risks that could affect the efficiency of business processes and services
- Security and compliance risks
- Commercial risks that could affect customer satisfaction
- Reputational risks
- The macro-economic and geopolitical environment
- Trends in the travel and tourism industry

Some of these risks have evolved from the previous Corporate Risk Map, while others have been newly identified.

These highlighted risks are assigned to risk owners at the highest level of the company, who are given the duty of proposing the risk response. Progress with mitigation and evolution of key risks is submitted to the Risk Steering Committee for review and consideration, together with any proposed action plans for necessary measures or further actions.

Due to its transversal and dynamic character, this process identifies new risks that affect Amadeus arising from changes in the environment or the revision of objectives and strategies.

In the current business environment, with its increasing stakeholder demand for transparency, ethics and social responsibility, reputational risk management is becoming increasingly relevant. The Amadeus Reputational Risk Map is fully integrated into the overall Corporate Risk Map of the company. So assessing the reputational impact of a particular risk is embedded into our methodology. Similarly, cybersecurity risks are managed through a security risk framework driven by our Corporate Information Security Office, which is also integrated into the Corporate Risk Map.

In addition to managing risks, Amadeus is very focused on ensuring compliance with initiatives such as the General Data Protection Regulation (GDPR) of the European Union. Our activities also extend to existing control standards such as PCI-DSS (credit cards), SOC 1 (computer controls) and ISO 27001 (security).

Amadeus, like any other organization, is exposed to risks that could significantly disrupt key internal services to Amadeus as well as external IT services that we provide to customers. To ensure minimal disruption in such catastrophic events, Amadeus has implemented a Business Resilience Program designed to protect our people, assets and infrastructure, and minimize the potential impact to acceptable limits.

Finally, through the training and awareness plan coordinated by Risk & Compliance, we try to ensure that all employees understand and apply best practices on ethical behavior as well as security and privacy.

The Risk & Compliance Office works closely with the following committees:
- The Ethics Committee, which provides guidance on ethical behavior and compliance issues. This committee also addresses any concerns that employees may have and assists in the implementation of the Code of Ethics and Business Conduct. Promoting integrity, transparency and ethical conduct in all our operations is very important to us, and we have a zero tolerance approach to prohibited practices, both in our internal affairs and external operations.
- The Risk Steering Committee, which is a decision-making body empowered by the Executive Committee to provide oversight and guidance on risk management activities and issues across Amadeus. This includes risk assessment and prioritization, risk mitigation strategies and crisis response.

Both the Ethics Committee and the Risk Steering Committee meet several times a year.

Amadeus Corporate Information Security Office

Amadeus continuously reviews and improves its processes to keep ahead of upcoming threats, ensuring that technical controls are considered and addressed, and that our people are aware of our policies, controls and processes to avoid or minimize the impact of these threats. We follow the ISO 27001 standard, including:
- Corporate security objectives and controls set by our Corporate Information Security Office.
- Our Security Risk Map, which gives priorities for the implementation of mitigations.
- A maturity assessment carried out by a third party to identify security gaps, which are also monitored and followed in our Corporate Security Program.

All these activities are monitored and controlled by our Corporate Security Program (SHIELD).

From a global operations and technology perspective, Amadeus has established an independent Security Operations Center to monitor at all times the security status of the services we provide to customers. This service also helps us understand emerging technical threats and invest in the most appropriate technology to mitigate new risks.

Since January 2017 Amadeus has been a member of the Aviation Information Sharing and Analysis Center (A-ISAC), showing our continuous commitment to increasing our customers’ trust and the sharing of best practices.

[Figure: Amadeus Corporate Information Security Office] (GRI 103-1, 103-2, 103-3 (Data security & privacy protection))
- Regional security offices: Extended security awareness and control to all Amadeus regions and subsidiaries.
- ISO 27001 certification: ISO 27001 level 3 certification at Amadeus corporate level.
- Security Operations Center. Ensures that: all security policies and security architecture standards are properly monitored and controlled; mitigation plans are put in place; Amadeus is protected against known threats and attacks; security incidents are handled with proper communication; security incidents are investigated and contained; artificial intelligence is used to identify vulnerabilities; user behavior analytics are used to provide us with actionable insights by identifying patterns of traffic caused by user behaviors, both normal and malicious.
- Access control: Ensure that only authorized persons have access to confidential information on a need-to-know and need-to-handle basis.
- SSDLC*: Ensure the implementation of secure software development methodologies according to SSDLC standards.
- Security normative framework: Policies and framework are implemented and used to assess security risks.
- PCI-DSS** compliance: Ensure that Amadeus is PCI-DSS compliant and that we are prepared for changes in PCI-DSS compliance requirements.
- Security by design: Ensure that security is observed from the beginning of every new product and project.
- Data leak prevention: Ensure that critical information in any format does not leak out to unauthorized persons/destinations.
- Security awareness: Create and follow up on employee security awareness.
* SSDLC: Secure Software Development Life Cycle.
** PCI-DSS: Payment Card Industry Data Security Standard.

GRI 102-13, 102-30
GRI 103-1, 103-2, 103-3 (Compliance, governance & business ethics)

Third Line of Defense: Group Internal Audit

Amadeus’ Group Internal Audit:
- Supports the Audit Committee in monitoring the effectiveness of the company’s internal control and risk management systems.
- Provides independent and objective assurance and consulting services designed to add value and improve Amadeus’ operations. It helps accomplish our goals by using a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management and control processes. This includes the potential for fraud and how the organization manages fraud risk.
- Covers all companies, businesses and processes majority owned or controlled by Amadeus.

Audit cycles

Every year, Group Internal Audit performs a thorough background and risk assessment exercise to verify and update our audit priorities. This considers, among other dimensions:
- The Group’s strategic objectives and projects
- The Corporate Risk Map
- Internal/external challenges and enablers identified through interviews with senior management and major control functions
- Magnitude and geographical footprint of the Group’s entities and activities

The output leads to the formalization and approval by the Audit Committee of a yearly internal audit plan.

The legal entities included in Group Internal Audit reviews during 2019² represented more than 60% of the total Amadeus workforce. The main risks identified during internal auditing are reported to senior management and the Audit Committee, and their status is periodically updated until resolution or acceptance by the governing bodies.

As an optimum complement to its independent reviews, Group Internal Audit holds periodic coordination meetings with the main control, business and technology units.

The reporting lines and authority of Group Internal Audit are set by the Audit Committee to ensure that it has sufficient authority to carry out its duties. To ensure Internal Audit’s objectivity, its staff have no direct operational responsibility or authority over any of the activities audited. Accordingly, internal auditors do not implement internal controls, develop procedures, install systems, prepare records or engage in any other activity that may impair their judgment.

Group Internal Audit is governed according to the mandatory elements of the Institute of Internal Auditors’ (IIA) International Professional Practices Framework (IPPF). This includes its Core Principles, its Definition of Internal Auditing, its International Standards and its Code of Ethics. Group Internal Audit also runs a Quality Assurance & Improvement Program that combines ongoing monitoring with periodic internal and external assessments. The program includes the evaluation of Group Internal Audit’s conformance with the IPPF. It also assesses the efficiency and effectiveness of Group Internal Audit and identifies opportunities for continuous improvement.

² Including internal audit reviews, and the assessment of the design and effectiveness of the Internal Control over Financial Reporting (ICFR) and the Corporate Crime Prevention (CCP) models.

